The White House on Wednesday released the final version of the voluntary cybersecurity standards that President Barack Obama called for exactly one year ago in an effort to reduce risks to the United States’ critical infrastructure.
But after 12 whole months of development, tech experts aren’t sure if the latest effort to strengthen cybersecurity among the players involved in the nation’s power sector, telecommunications sphere and other at-risk realms meets what they think is warranted.
During his 2013 State of the Union address, Pres. Obama acknowledged that earlier that day he signed an executive order intended to strengthen the country’s cyber defenses “by increasing information sharing and developing standards to protect our national security, our jobs and our privacy.” That executive order compelled the director of the National Institute of Standards and Technology, or NIST, to develop a framework intended to help entities reduce cyber risks faced by the nation’s most crucial assets. One year to the day later, government officials announced during a White House press conference on Wednesday that they were ready to begin rolling out those standards to interested industry partners.
“Threats are becoming more sophisticated,” White House Chief of Staff Denis McDonough said during the event that afternoon, and “…the only way to address these threats effectively is through a true partnership between the government and the private sector.” Soon, however, participation in the program is expected to be mandated among government contractors.
When the president signed the order last February, he warned that the threat from cyberattacks has worsened in recent years and cited money-hungry hackers and malicious foreign nation-states as being among the biggest culprits behind attacks on America’s computer systems. One year later that threat has arguably only intensified — especially in light of the recent security breaches suffered by Target, Neiman Marcus and others — and the Obama administration hopes that companies that consider adopting the new framework will find themselves less likely to be brought down by highly skilled hackers.
The framework, its authors write, “uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.” According to its executive summary it “enables organizations – regardless of size, degree of cybersecurity risk or cybersecurity sophistication – to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure” by providing “organization and structure to today’s multiple approaches to cybersecurity by assembling standards, guidelines and practices that are working effectively in industry today.”
Over the course of 47 pages, the document outlines a framework composed of five core functions — identify, protect, detect, respond and recover — intended to provide participating entities with a strategic view of how they match up against varying levels of attack. Elsewhere it shows participants how to align with best practices crucial to protecting the systems of critical infrastructure components, and how those groups can manage themselves to assess all sorts of potential risks.
Critical infrastructure, as defined in that report, is composed of “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety or any combination of those matters,” and includes private sector businesses ranging from telecommunication providers to utility companies.
The framework announced this week doesn’t require any companies or corporations to sign on, however, and absent monetary incentives it could make little difference in coercing cooperation from the private sector.
Originally, the US government considered actions that would have rewarded companies that follow the framework by providing assistance in acquiring the upgrades required to wrestle against cyberattacks. That offer has been erased from the finalized framework, however, much to the chagrin of some who saw those measures as a way to attract otherwise unwilling participants that aren’t interested in adopting purely voluntary standards.
“Six months ago the message we were hearing is that incentives were coming,” Robert Dix, vice president of government affairs for California's Juniper Networks, told Bloomberg BusinessWeek in a recent telephone interview. “Virtually nothing has been done to move the needle on any incentives that are going to be economic motivators for investments.”
“If the framework isn’t cost effective and isn’t supported by incentives, it’s hard to see how it can work on a sustainable basis,” added Larry Clinton, the president of the Internet Security Alliance, which represents General Electric, among others.
Indeed, Dix and Clinton’s trade group are not alone. On Tuesday this week, the Information Technology Industry Council — which includes Apple, Google, IBM, Intel and Symantec — released a statement which in part objected to the lack of incentives being offered a year after they were all but assured.
“Given limited fiscal resources and the complexity of incentives, including the necessary involvement of multiple stakeholders including Congress, it is highly unlikely any will be available at, or immediately following, the February 2014 launch” of the framework, that group said.
Others have applauded the framework, albeit while still expressing some reservations about the final report.
"The voluntary cybersecurity framework provides a number of useful guideposts for companies who want to better secure their data," Greg Nojeim of the DC-based Center for Democracy and Technology wrote in a statement released Wednesday afternoon. "The framework will be useful to companies and their privacy officers, because it will remind them that processes should be put in place to deal with the privacy issues that arise in the cybersecurity context."
"However, we are concerned that the privacy provisions in the framework were watered down from the original draft," added Nojeim. "We would have preferred a framework that requires more measurable privacy protections as opposed to the privacy processes that were recommended. As the framework is implemented, we are hopeful that such privacy protections are further developed and become standardized."
Even Michael Chertoff, the former secretary of the Department of Homeland Security under President George W. Bush, told POLITICO last week that he thinks the framework lacks the necessary support from other aspects of the US government. Without that, he said, it might not be enough to protect critical infrastructure components.
“Either Congress will have to really put some muscle behind it, or the regulators … will have to pick up the baton,” said Chertoff. “I wouldn’t say we’re at the end of the journey.”
Even those unwilling to adopt the voluntary standards will have other options to protect their computers, though. Current DHS Secretary Jeh Johnson announced during Wednesday’s conference that his office has established the Critical Infrastructure Cyber Community Voluntary Program, or C-Cubed, to give companies that provide critical services like cell phone, email, banking and energy free and direct access to cyber security experts within the DHS who have knowledge about specific threats facing the country, as well as ways to counter those threats and recover.
“The C-Cubed Voluntary Program will serve as a point of contact and customer relationship manager to assist organizations with framework use, and guide interested organizations and sectors to DHS and other public and private sector resources to support use of the Cybersecurity Framework,” Johnson’s department said in a statement published on Wednesday.